Can't send software to phone and no Internet Access when connected to VPN

  • Question

  • Hey everyone, I just got SCMDM installed, here's my setup:

    • DM and Enrollment server installed on a virtual machine with WSUS
    • GW installed on a machine with two NICs (one internal, one external)
    • No firewalls are in place... I wanted to get this working first before I implemented them

    The software installed fine, I have an "Up to date" message for my gateway on the DM server, and the phones are enrolled correctly and I have a check mark by the 'V' icon on the phone. I can ping the phone from both my servers, and I can ping both my servers from the phone (using a ping utility). For some reason, I'm not getting any inventory information from the phone. I also sent a Wipe request to the phone and let it sit overnight, came back to it this morning to see on the DM that it still says 'Pending'. I also have no internet access to any external websites when I'm connected to the VPN. All my logs are clean, and the mobile VPN diag software is showing all green check marks. Anyone have any ideas what could be going wrong, or any tips on where to look to troubleshoot this?

    Thanks!
       - Adam

    Thursday, November 13, 2008 5:07 PM

Answers

  • I think you've got most things in place like they should. But seems like there might still be a routing issue.

    Can you access https://dm-server-adress:8443/TEE/Handler.ashx in the browser on the phone? Since you can ping, this should work and you should be prompted for a client certificate.

    Can you ping the device from the DM server? You need to have a route from the internal network to the device subnet. (You can add this on the DM server.)

    Thursday, November 13, 2008 8:13 PM

All replies

  • I just got the internet to work on my mobile device... was a routing issue on the GW server. I still cannot deploy software or take inventory on the phone, someone help pleasssse!! =)

    - Adam
    Thursday, November 13, 2008 5:55 PM
  • If a Ping doesn't work then maybe try Tracert <Device IP> from the DM server. This should highlight any routing issue.

    Cheers Wayne
    Airloom
    Thursday, November 13, 2008 11:36 PM
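The checks suggested in the two replies above (a route from the DM server to the device subnet, ping/tracert, and the TEE handler answering on 8443 with a client-certificate challenge) collected into one script. This is an added example, not code from the thread or from the MDM product; it assumes PowerShell 2.0 or later on the DM server, and the subnet, device address and server name are assumptions taken from or constructed around this thread.

```powershell
# Run on the DM server. Assumed values: the 10.15.0.0/24 MDM VPN subnet from
# the thread, a constructed sample device address, and a placeholder DM name.
$DeviceSubnet = "10.15.0.0"
$DeviceIp     = "10.15.0.20"          # constructed sample enrolled-device IP
$DmServer     = "dm-server-address"   # placeholder: DM server FQDN on the cert
$HandlerUrl   = "https://${DmServer}:8443/TEE/Handler.ashx"

# 1. Is there a route for the device subnet at all? Without one, replies to
#    the device leave via the default gateway instead of the GW internal NIC.
$route = route print | Select-String -SimpleMatch $DeviceSubnet
if ($route) { "Route present:`n$route" }
else        { "No route for $DeviceSubnet on this host; add one via the GW internal NIC" }

# 2. Reachability: ping, and if that fails, tracert shows where packets stop.
if (Test-Connection -ComputerName $DeviceIp -Count 2 -Quiet) {
    "Ping to $DeviceIp OK"
} else {
    "Ping to $DeviceIp failed; tracert follows"
    tracert -d -h 10 $DeviceIp
}

# 3. Does the TEE handler answer? No client certificate is offered here, so
#    an HTTP 403 or a TLS secure-channel failure means the handler is up and
#    asking for a cert. A timeout or name-resolution error is the real fault.
try {
    $req = [System.Net.HttpWebRequest]::Create($HandlerUrl)
    $req.Timeout = 10000
    $resp = $req.GetResponse()
    "Handler answered HTTP $([int]$resp.StatusCode) without a client cert (unexpected)"
    $resp.Close()
} catch [System.Net.WebException] {
    $ex = $_.Exception
    if ($ex.Response) {
        "Handler reachable: HTTP $([int]$ex.Response.StatusCode) (cert challenge expected)"
    } elseif ($ex.Status -eq 'SecureChannelFailure') {
        "Handler reachable: TLS handshake rejected, server wants a client certificate"
    } elseif ($ex.Status -eq 'TrustFailure') {
        "Handler reachable but its certificate is not trusted by this host"
    } else {
        "Handler NOT reachable: $($ex.Status) - $($ex.Message)"
    }
}
```

If step 3 reports a 403 or secure-channel failure from the DM server but the same URL still fails from the phone, the problem is on the device-to-DM path (GW routing or DNS on the device), not on the DM server itself.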
  • Hey guys, thanks for the responses!

    Andreas -- I cannot access that page from my phone. Let me give you a little more insight into how I have the networks set up. We have our internal network (192.168.0.0 /24) hosting our AD server, then we have our Server subnet (192.168.99.0 /24) which consists of all the MDM servers. I have internal routing on both firewalls giving clear access to both subnets back and forth. I then have our MDM VPN subnet (10.15.0.0 /24), I can ping the phone devices from all networks. One weird thing I noticed, I have our AD DNS setup on the phones (192.168.0.10) which gives me access to the internet, as well as the ability to ping all computers on our internal subnet. Strange though, the phones are not registering within our DNS.... I added a reverse lookup for that subnet (10.15.0.0 /24). I also adjusted the security settings on our DNS to allow create and delete for the SCMDM2008 Enrolled Devices group as well as the GW and DM servers. Is there something I'm missing here?
    Friday, November 14, 2008 5:27 PM
  • Okay, you were right, another routing issue. I can now access that website from my phone, and indeed, it is asking for a certificate. Now I think my biggest issue is my phones are not registering with my DNS server... is this even necessary? I never saw any good documentation about the phones needing to register in the AD DNS... but I'm assuming they should considering they're now a part of my AD. My DM still doesn't seem to be collecting information from my device, nor are policies being applied.

    UPDATE: Now it looks like the device information finally came through, but group policies don't seem to be applying. Do I need to just wait longer? I ran 'Update-MobilePolicyCalculation'... is this the right command to manually send the new policy to the phone, or is there something else I need to do?
    Friday, November 14, 2008 6:24 PM
  • Hi Adam,

    If you ran the Update-MobilePolicyCalculation cmdlet from the PowerShell you probably just need to run the MDM Connect Now tool on the device itself to force it to sync instead of waiting for the next sync cycle.

    You can download it from the MDM Resource Kit page here:
    http://technet.microsoft.com/en-us/scmdm/cc304591.aspx
    or directly here:
    http://www.microsoft.com/downloads/details.aspx?FamilyId=D07E6997-836A-4ABE-84F3-B563E976B131&displaylang=en

    |\\arco..
    http://marco.blogsite.org

    Friday, November 14, 2008 6:50 PM